10/27/2010 



espacenet — Bibliographic data 



Verfahren zur Authentisierung einer Chipkarte innerhalb eines 
Nachrichteniibertragungs-Netzwerks 



r: JP2002514024 (T) 
2002-05-14 



Inventor(s): 
Applicant(s): 
Classification: 

- international: G07F7/10; G09C1/00; H04L9/32; H04W12/06; G07F7/10; 

G09C1/00; H04L9/32; H04W12/00; (IPC1-7): G07F7/10; 
G09C1/00; H04L9/32 

- European: G07F7/10D; H04L29/06S8E; H04Q7/38A; H04W12/06 
Application number: JP20000547592T 19990427 

Priority number(s): DE19981020422 19980507; WO1999EP02848 19990427 



> published as: 

|DE19820422 (A1) 
|llS7080256 (B1) 
|CN1299497 (A) 
JAU3824199 (A) 
|ES2242395 (T3) 
f AT299612 (T) 
" 3957689 (A1) 
|EP1076887 (A1) 
|EP1076887 (B1) 
f HK1037415 (A1) 

: less 



Abstract not available for JP 2002514024 (T) 
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The invention relates to a method for authenticating a 
chip card (SIM) in a network for transmitting 
messages, preferably in a GSM network. According 
to said method, an optionally secret algorithm and a 
secret key are stored in a chip card (SIM). In order to 
authenticate the card, the network or a network 
component first transmits a random number to the 
chip card. A reply signal is then generated in said 
chip card using the algorithm, the random number and 
the secret key, and transmitted to the network or 
network component where the authenticity of the card 
is checked. The authentication message is formed by 
dividing the secret key and the random number 
transmitted by the network into at least two parts 
each. A part of the transmitted random number and 
one or more parts of the secret key are encoded with 
a single or multi-stage, preferably symmetrical 
computation algorithm. A selected part of the product 
of the encoding procedure is transmitted to the 
network in order to issue an authentication reply. 
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(57) ABSTRACT 

The [mention relates to a method tor authenticating a smart 
card (SIM) iu a messaging network, preferably a GSM 
network. \\ herein an optionally secret algorithm and a secret 
key are stored in a smart card (SIM), whereby for authen- 
tication the network or a network component first transfers 
a random number to the smart card, a response signal is 
generated in the smart card by means of the algorithm, the 
random number and the secret key, said signal being trans- 
mitted to the network or network component in order to 
check the authenticity of the card there. According to the 
invention both the secret key and the random number 
transferred b\ the network are split into at least two parts to 
form the authentication moss age. one part o I the transferred 
random number and one or more parts of the secret key 
being encrypted by means of a one- or inultistep. preferably 
symmetrical calculation algorithm. To output an authentica- 
tion response, a selectable part of the encryption result is 
transferred to the network. 

10 Claims, 2 Drawing Sheets 
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METHOD FOR AUTHENTICATING A CHIP obtained from the network for forming the authentication 

CARD IN A MESSAGE TRANSMISSION message and the channel coding key in each case. 

NETWORK A further advantageous embodiment of the invention 
provides that the secret kev stored in the card and the 

BACKGROUND OF THE INVENTION 5 random number sent by the network to the card are split into 
equally long parts. This permits the same calculation algo- 

1. Field of the Invention nthm to be used in both eases. The random number or secret 
This invention relates to a method for authenticating a key can be split by simply making a split "in the middle" or 

smart card in a messaging network, preferably a GSM by creating o\ erlapping partial areas. One can also effect a 

network, according to the preamble of claim 1. to split b\ w Inch the sum of the indiv idual pans is smaller than 

2. Description of Related Art the bit length of the random number or secret key. According 
In GSM systems it is known that for using the smart card to a further variant, a given number of bits of the random 

(subscriber identity module, SIM) the user must usually first number or secret key can be combined into a key or random 

identify himself as an authorized user by means of a personal number part according to a predetermined pattern or pseu- 

identification number (PIN). In order to avoid abuse at this 15 dorandomly. 

point, it is known to provide an error counter for the PIN As a further advantageous embodiment of the invention, 

entry to prevent further use of the card after a permissible one can use DES algorithms as calculation algorithms tor 

number of failed attempts is exceeded. authentication and lor channel coding. 

A lurlher system-relevant security measure is lo atithen- Another advantageous variant of the invention provides 

licalc the card vis-a-vis the mobile network. A secret key : > lor usm;i lhc p ro f or ybly one-step 11)1 A algorithm for cal- 

inaccessible from outside and an algorithm like-wise inac- culating the authentication parameters and' channel coding 

eessible from outside are stored in the card. Tor authenti- j^ C y s 

cation a random number is generated by the network or a Alternatively, one can calculate the authentication param- 

ncUu rk ° ,m l 11 11 111 11 1 11 lllslelml 1 ' ,k ' c:ird lllc c; " 1 eleis and channel coding keys usinu compression algo- 

then calculates from the random number and secret key by 2< nthms preferab]y cr yp togra phic compression algorithms 

means ol the algorithm present m the card a response winch whose output valui . s h;n c , a sma u er length than the input 

it transiers to the network. This response is analyzed in the parameters 

network and, if the result is positive, access to the network Tq jncrease securf ft k advant t0 use m at least 

allowed. The corresponding procedure is ^ cakul U| n ;, (h| v hereby , tripk 



scribed in the relevant (ISM specifications. 

[work protected as slated above involves the danger 



rithm proves especially sale. With this algorithm one lirst 
encrypts with a first part of the key and a part of the ra 



that attacks on the algorithm used for authentication permit number> (hen m dec) [m o| ^ resul( with ^ 
tire network to be simulated „, a computer for example by seQ , nd a[ (hc kcv ;md ||na||y ;| fm[hcr 

e.g. selected random numbers being transmitted to the calculation with the firs: n of the kev a in For tne last 

SIM card according to the standardized protocol and the 35 jon ^ the fet of ^ ^ one cm adyanta . 

secret key of the smart card being determined therefrom, , use a neW) ^ ^ jn jcu]ar tf ^ k , 

alter several authenlicalion attempts. II the algorithm of the into three key parts 

card is addilionallv known, essential functional elements of " ' " ,,. . , . 

. . . .' , , ... , , . A lurlhc id iiii i>eou enibi hmenl ol lh in 'inn 

rftL a lcrel ke S1 40 n * uhs if the SeleC,ion of the firSt ° r SeCOnd part ° f the 
y ' random number is effected alternatingly for authentication 

SUMMARY OF THE INVENTION and ca ' cl, ' al ' on lhc channel coding, this alternation being 

executed randomly or pscudorandoniK and the selection 

II 1, Ltaeta objective of He invaUion Co pro.id. ■ k ™8 * cld '" ,he °™ WI V " "» ™ d "» »•"»*■ 
^ZZZZtt'^SZZZZ' BRIEF DESCRIPTION OF THE DRAWINGS 
authenlicalion result lo the subscribing smart card, as cus- 
tomary in the GSM network for example. The Mention will be described more closely in the 

Advantageous embodiments of the invention are stated in following with reference to FIGS. 1 to 3. 

the dependent claims. s i ' ' shows the sequence of cryptographic functions of 

The invention provides for forming the authenlicalion ule SIM in the GSM network, 
message by forming at least two parts from both the secret FIG. 2 shows a block diagram of triple DES encryption, 

key and the random number transferred by the network, one FIG. 3 shows examples of the split of the secret key and 
of the parts of the transferred random number and one or random number, 

more parts of the secret key being encrypted by means of a 55 
one- or multistep, preferably symmetrical calculation algo- 
rithm. To output an authenlicalii m message, a selectable part 
of the result calculated according lo the authentication 

algorithm is transferred to the network. The sequence shown in FIG. 1 assumes that the custom- 

An advantageous embodiment of the invention prov ides 60 ary. preceding process of PIN verification has been com- 
for generating the channel coding kev in the same wa\ pleted Subsequen lv. I nobile unit in nub n I 1 if 
There loo it is prov idea thai, if key and random number are located sends lo the network a message which contains IMS! 
splil into tw o parts tor example, eilher the first or the second (international mobile subscriber identity .! information or 
part of the transferred random number is linked with the lirsl TMSI (temporary mobile subscriber identity) information 

and/or second part of the secret kev with a one- or multistep 65 Secret key K, is determined from the IMSI or TMSI in the 
algorithm in order to obtain a channel coding key. One network according to a given function or by means of a 
preferabh uses different parts of the random number table. The same key is also stored in smart card SIM in an 
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inaccessible memory space. The secret key is required for 
later verification of the authentication process. 

The network then initiates the authentication process by 
calculating random number RANI) and transferring it via 
the air interface to smart card SIM. 

Authentication parameter SKI 'S is thereupon limned in 
the smart card by moaih id an authentication algorithm from 
secret key K, and random number RAND, said parameter 
being in turn transferred \ia the air interlace to the network. 
According to the invention, at least two random numbers 
RANDj and RAND 2 are derived from random number 
RAND. Random numbers RANDj and RAND 2 can be 
obtained by division or a selection from random number 
RAND or by a calculation algorithm. 

Authentication is affected with a two-step algorithm in the 1 
example according to FIG. 1 first, as indicated in 1 1(1. 1. 
first part RAND; of the random number is encrypted with 
first part K, id key K, likewise split into two parts. The result 
of said first step is subsequently encrypted in a second step 
with second part K 2 of the key. For calculation with the 2 
aulbenlication algorithm one can of course also use second 
part RAND, of the random number first and change the 
order of using first and second key parts Kj and K 2 . 

Authentication parameter SRI IS' is meanw hile likewise 
formed in the network in the same way as in the card by 2 
means of the aulbenlication algorithm and random number 
RAND (RAND |, RANDJ and secret key Ki (K„ K 2 ). 
Parameter SRES' is then compared in the network with 
authentication parameter SRI S ohiained Irom the curd. If 
authentication parameters SRES' and SRES match, the 3 
authentication process is completed successfully. If the 
authentication parameters do not match, the subscriber's 
card is regarded as unauthenticated. It should be noted here 
that one can also form SRES or SRES' using only parts of 
the result obtained by the encryption. 3 

In the same way as the authentication parameters are 
generated, key Kc for channel coding for data and speech 
transmission is generated in the card and ihc network. One 
preferably uses as the input parameter the part of random 
number RAND not used in authentication. 4 

FIG. 2 shows an adv antageous example by which calcu- 
lation with the aulbenlication algorithm and or channel 
coding is executed by a triple Df S algorithm. According to 
Ibis algorithm, pari RANI), or RAND, of the random 
number is first encrypted with lirsl key pari K,. In the next 1 
step decryption is effected with K 2 . The result is then 
encrypted with K, again or. if the random number/key is 
split into a plurality of part,, with a third part of the key. The 
channel coding is formed in the same way. The correspond- 
ing algorithms arc used in the network in each case. 5 

Without restricting universality, the description id' the 
examples according to fdCiS. 1 and 2 assumed a two- or 
three-step, symmetrical encryption algorithm. I he inventive 
idea, which consists of splitting the random number and 
secret key, can of course also be executed with oilier, s 
common encryption or calculatii n algorithms. By way of 
example, mention is made of not only the DES algorithms 
(A3; A8) but also IDEA. The stated algorithms can also be 
executed in one step, whereby different parts of the key 
and or random number are preferably generated for authen- « 
tication and generation of channel coding key Kc. 

FIGS. 3a to e give examples of ways of splitting secret 
key K,. or random number RAND. 

FIG. 3a shows key K, or random number RAND with a 
length of 128 bits. 



FIG. 3b shows a split into two equal parts K t and K 2 
(RANDj, RAND-), the split being made in the middle. Part 
1 contains bit 1 to bit 64, part 2 contains bit 65 to bit 128. 
FIG. 3c shows an overlapping split, and FIG. 3d shows a 
split by which the odd bits are assigned to part 1 and the ev en 
bits to part 2. FIG. 3e finally shows a split by which the sum 
of the bit positions of parts I and 2 is smaller than the bit 
positions of the initial key or random number. 

The invention claimed is: 

f. A method for authenticating a smart card (SIM) in a 
messaging netw ork. w herein an algorithm and a secret key- 
are stored in a smart card (SIM i. whereby for authentication 

the network or a network component lirsl transfers a 
random number (RAND) to the smart card, 

a response signal (SRIiS) is generated therefrom in the 
smart card by means of the algorithm and the secret key 
(K,) and transmitted to the network or network com- 
ponent, characterized in that 

to form the response signal i SRI S the secret key ( K/i and 
the random number (RAND) are each split into at least 
two parts (K„ K 2 ; RAND 1; RAND 2 ), 

one of the parts (RAND^ RANDj of the transferred 
random number (RAND) is encrypted with the aid of 
one or more parts (K ls K 2 ) of the secret key (K,) by- 
means of a one- or mullistep algorithm. 

2. \ method according to claim 1. characterized in thai a 
given number of bits is selected from the encryption result 
and transferred as a signal response (SRES) to the network. 

3. A method according to claim 1. characterized in lhat a 
part of the transferred random number (RAND) and one or 
more parts of the secret key (K,) are used to calculate a 
channel coding key (KJ by means of a one- or multistep 

algorithm, at leasl one part of die calculalmn result being 
used as the channel coding key (KJ. 

4. A method according to claim 1 , characterized in that the 
key (K[) and the random number ' RAND) are split into two 
equally long parts (K L , Ky'RANDj, RAND 2 ). 

5. A method according to claim 1, characterized in that 
DES algorithms are used to calculate at least one of the 
authentication parameters (SRf S. SRfS'i and the channel 
coding key (K r ). 

6. A method according to claim 1. characterized in thai an 
IDEA algorithm is used to calculate the authenticatf n 
parameters (SRES, SRES') and the channel coding key (K c ). 

7. A method according to claim 1, characterized in that a 
compression algorithm whose output value has a smaller 
length than the input parameter is used to calculate the 
authenlicalion parameters (SRf S. SRIiS'i and the channel 
coiling key (KJ. 

X. A method according to claim 7. characterized in that the 
calculation ol the authenlicalion parameters is effected in an 
at least two-step algorithm. 

9. \ method according to claim I. characterized in thai a 
triple DES algorithm is used as an encryption algorithm, 
whereby one first encrypts with the first part (KJ of the key 
(K,), then decrypts with the second part (K 2 ) of the key (K\) 
and thereupon encrypts again with the first part (Kl) or a 
third part of the key (K,), by means of a one- or multistep 
algorithm. 

ft). A method according ti claim 1. characterized in lhat 
a selection of the first or second part of the random number 
(RAND) is effected in the same way in the card and the 
network in random oi pseudorandom alternation. 



